
New Locky Variant ‘IKARUSdilapidated’ Strikes Again

For a second time this month, a Locky ransomware variant called IKARUSdilapidated is part of a calculated phishing attack targeting office workers with fake scanned image attachments.

A second wave of the Locky ransomware variant called IKARUSdilapidated has been identified by security researchers. The ransomware is distributed by a botnet of compromised "zombie" computers coordinated to send phishing emails whose messages and attachments appear to come from the targeted recipient's trusted business-class multifunction printer.

This is the second wave of IKARUSdilapidated ransomware spotted in the past month, according to Comodo Threat Intelligence Lab. The original attack, first identified on Aug. 9 and lasting three days, utilized spam messages that contained little to no content along with a malicious Visual Basic Script attachment.

“This is a more mature campaign, targeting office workers whose workstations are part of a corporate network linked to multifunction scanners and printers,” said Fatih Orhan, director of technology at Comodo, in an interview with Threatpost. “As many employees today scan original documents at the company printer and email them to themselves and others, this malware-laden email will look very innocent.”

Emails in the campaign use a popular printer model in the subject line to trick users into thinking the messages are legitimate. One such message reads, "Scanned image from MX-2600N"; the MX-2600N is a leading enterprise-class Sharp multifunction printer. The messages carried malicious JavaScript attachments; when opened, the script acted as a dropper and downloaded the IKARUSdilapidated ransomware.

This most recent campaign was delivered over the course of three days starting Aug. 18 in three stages. The first two stages of the attack were the largest and involved the bogus scanned image attachment.

The third, smaller wave differed: it featured a message purporting to be from the French postal service, with the word "FACTURE" in the subject line. FACTURE is French for a bill or invoice. The emails came from a Laposte.net address, a domain used by La Poste, the French postal company, according to Comodo. The FACTURE messages also carried a malicious JavaScript attachment, in this case compressed inside a .rar archive. Once opened, the dropper downloaded the IKARUSdilapidated ransomware.
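The delivery pattern described above (a printer-scan or FACTURE lure subject, a Laposte.net sender, and a JavaScript attachment delivered bare or inside a .rar archive) is easy to turn into a mail-gateway triage rule. The following is an added example, not code from the Threatpost article or from Comodo's report; the message records are constructed for the example, the field names are an assumed gateway-export format rather than any real product's, and the extra extensions noted in the comments are assumptions beyond the .js and .vbs the article names.

```python
import re
from dataclasses import dataclass, field
from typing import List

# The article names .js and .vbs payloads; .jse and .wsf are added as an assumption.
SCRIPT_EXTENSIONS = {".js", ".vbs", ".jse", ".wsf"}
# The FACTURE wave used a .rar archive; .zip is added as an assumption.
ARCHIVE_EXTENSIONS = {".rar", ".zip"}

# Subject lures taken from the article: the printer-scan subject and the French invoice subject.
SUBJECT_PATTERNS = [
    re.compile(r"^\s*scanned image from\s+\S+", re.I),
    re.compile(r"\bFACTURE\b", re.I),
]
# Sender domain named in the article for the FACTURE wave.
LURE_SENDER_DOMAINS = {"laposte.net"}


@dataclass
class Attachment:
    name: str
    members: List[str] = field(default_factory=list)  # file names inside an archive, if any


@dataclass
class Message:
    sender: str
    subject: str
    attachments: List[Attachment]


def _ext(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def script_payloads(attachments: List[Attachment]) -> List[str]:
    """Return names of script files delivered bare or one level inside an archive."""
    hits = []
    for a in attachments:
        if _ext(a.name) in SCRIPT_EXTENSIONS:
            hits.append(a.name)
        elif _ext(a.name) in ARCHIVE_EXTENSIONS:
            hits.extend(f"{a.name}:{m}" for m in a.members if _ext(m) in SCRIPT_EXTENSIONS)
    return hits


def triage(msg: Message) -> List[str]:
    """Return the reasons a message matches the campaign pattern (empty list = no match).

    A script payload is required: a genuine scan-to-email PDF with a real printer
    subject must not trigger on the subject line alone."""
    payloads = script_payloads(msg.attachments)
    if not payloads:
        return []
    reasons = [f"script attachment: {p}" for p in payloads]
    if any(p.search(msg.subject) for p in SUBJECT_PATTERNS):
        reasons.append(f"lure subject: {msg.subject!r}")
    domain = msg.sender.rsplit("@", 1)[-1].lower()
    if domain in LURE_SENDER_DOMAINS:
        reasons.append(f"lure sender domain: {domain}")
    return reasons


# Constructed sample messages for the example (not real captured mail).
SAMPLES = [
    Message("copier@example.com", "Scanned image from MX-2600N", [Attachment("Scan_0001.js")]),
    Message("someone@laposte.net", "FACTURE", [Attachment("facture.rar", ["facture_0012.js"])]),
    Message("hr@example.com", "Scanned image from MX-2600N", [Attachment("scan.pdf")]),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m.subject, "->", triage(m) or "clean")
```

The rule deliberately keys on the attachment type and only uses the lure subject and sender domain as corroboration: legitimate scan-to-email traffic carries the same subject line, so blocking on the subject alone would break a normal office workflow, whereas a script file arriving from a "printer" has no legitimate use.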

“In contrast to the initial (Aug. 9) 2017 IKARUSdilapidated Locky campaign, which distributed malware with the ‘.diablo’ extension and a script that is a Visual Basic Script, both new attacks have interesting variations to fool users with social engineering and to fool security administrators and their machine learning algorithms and signature-based tools,” researchers said in a technical analysis of the attack.

The name IKARUSdilapidated is derived from a text string found in the code of the malicious file downloaded by the dropper. Researchers classify it as a Locky variant because the two share many characteristics, such as renaming each encrypted file to a unique 16-character combination of letters and numbers.

“This shows that the malware authors are evolving and changing methods to reach more users and bypass security methods,” Orhan said.

According to an analysis of the botnet used in the attacks, 54,048 IP addresses took part in the "scanned image" campaign; 27 percent of those had also been used in the original attack that began on Aug. 9. The top source countries for the "zombie computer" botnet are Vietnam, Turkey, India and Mexico. Targets were concentrated in Europe and South Asia, with minimal targeting of the United States and Russia.

Authors

Threatpost
